1. Data controller
The data controller is Un Interlude, a French simplified single-shareholder joint-stock company (SASU) registered under SIREN 880 245 931, publisher of Thermoremix.ai. For any question regarding your personal data, contact us at hello@thermoremix.ai.
2. What data we collect
We apply the data minimization principle: we collect only the data strictly necessary for the service to operate.
Identity and account
Email, username, password (bcrypt-hashed — never stored in plaintext), Thermomix® model owned, preferred language. If signing in via Google or Apple: unique identifier provided by the provider and associated email.
Content you share with us
Recipes you submit (text, URL, photos, descriptions), adapted recipes stored in your notebook, notes, and comments. Photos are kept for the duration of the conversion and deleted after 30 days, unless you save them with a recipe.
Payment data
Stripe customer ID, subscription ID, chosen plan, payment status. Banking details (card number, CVV, IBAN) never pass through our servers — Stripe collects and stores them directly, in accordance with PCI-DSS Level 1.
Technical and usage data
IP address (anonymized after 30 days), approximate country/city derived from IP, device type, browser, service usage events (page views, conversions started) for product improvement purposes.
3. Purposes and legal basis
In accordance with Article 6 of the GDPR, each processing activity relies on a specific legal basis:
- Performance of the contract — creation and management of your account, recipe conversion, subscription and payment management (art. 6.1.b GDPR).
- Legal obligations — invoices kept for 10 years (Article L.123-22 of the French Commercial Code), tax traceability.
- Legitimate interest — service security, fraud prevention, product improvement based on aggregated usage statistics (art. 6.1.f).
- Consent — post-signup email sequence (cancellable in 1 click via the "unsubscribe" link), non-essential cookies (art. 6.1.a).
4. Processors and transfers
We use a limited number of processors selected for their security level and GDPR compliance. They have access to your data only within the scope of their mission.
| Processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) |
| MongoDB Atlas | Database hosting | EU (Frankfurt) |
| Heroku (Salesforce, Inc.) | Application hosting | EU (Dublin) |
| Google Gemini API | Automated recipe conversion | USA |
| OVH SAS | Transactional email delivery | France (EU) |
| Google / Apple OAuth | Social login (optional) | USA |
Transfers to the United States (Google, Apple) are framed by the standard contractual clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (EC 2023/1795) certifying the relevant US processors.
5. How long do we keep your data?
- Active account: as long as you use the service.
- Inactive account: 24 months without login → warning email, then automatic deletion 30 days later.
- Uploaded but unsaved photos: 30 days after conversion.
- Invoices and billing data: 10 years (accounting legal obligation).
- Technical logs and IP: 30 days, then anonymized.
- Account deleted on request: immediate deletion of identifying data; invoices are kept in anonymized form.
6. Your rights
Under Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access — obtain a copy of the data we hold about you.
- Right to rectification — correct inaccurate information (editable directly from your account).
- Right to erasure — delete your account and your data ("right to be forgotten").
- Right to portability — retrieve your recipes and data in a readable format (JSON or CSV export).
- Right to object — refuse certain processing based on legitimate interest (analytics).
- Right to restriction — temporarily freeze the processing of your data.
- Right to withdraw consent — at any time for marketing emails.
- Post-mortem directives — you can instruct us how to handle your data after your death.
To exercise these rights, write to hello@thermoremix.ai specifying the subject of your request. We will respond within one month at most. We may ask for identification to verify your identity.
7. Cookies and local storage
The service uses a minimal number of browser-side storage mechanisms:
- Session JWT (essential) — stored locally to keep you signed in. Not shared with third parties.
- Anonymous session identifier (essential) — UUID generated to track your signup funnel before account creation.
- Language preference (essential) — to display the interface in the correct language.
We use no advertising cookies, no third-party tracking pixels (Facebook, TikTok, etc.), nor any external analytics tool (Google Analytics). Our usage tracking is entirely first-party and anonymized.
8. Security
All communications are encrypted in transit (HTTPS/TLS 1.2+). Passwords are bcrypt-hashed (adaptive cost algorithm). Authentication tokens are signed with a secret stored in environment variables, never in source code. Database access is IP-restricted and requires authentication. In case of a data breach affecting your rights and freedoms, we will notify you within 72 hours in accordance with Article 34 of the GDPR.
9. Minors
Pursuant to Article 8 of the GDPR and French law, the service is open to persons aged 16 and over. Users under 16 must obtain prior consent from a parent or guardian. If we discover that an account was created by a minor without parental consent, we will delete it.
10. Changes to this policy
This policy may be updated to reflect legal or technical changes. In case of substantial modification, you will be notified by email with 30 days' notice. The most recent version is always accessible at this URL.
11. Complaint to the supervisory authority
If you believe your rights are not being respected despite a request to Thermoremix.ai, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr/fr/plaintes — 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07. EU users may alternatively contact their local supervisory authority.